Your Safety Protocols Are Changing

16 May 2018 by Jenn Granger

It’s been a long journey, friends, but it’s time to wave farewell to TLS1.0

From Saturday 30th June, SSL and early TLS (TLS1.0), together with the older SSL cipher suites, will no longer be acceptable ways for people to connect to your website. The deadline set by the PCI Security Standards Council (PCI SSC) is the final date for moving your server to a secure protocol configuration: TLS1.1 at the very least, and preferably TLS1.2.

This means if your website processes payments or interacts with any PCI compliant services, you’ll need to act fast.

UKFast disabled TLS1.0 and TLS1.1 on our DDoSX® network from 14th May, so we thought it was a great time to let you know how to be compliant.

Read on to find out why you need to remain PCI compliant, and how to do it.

Before you start worrying that you’ll need to replace your existing SSL and TLS certificates, it’s important to note that certificates are not dependent on protocols. While many vendors tend to use the phrase ‘SSL/TLS certificate’, it’s more accurate to call them ‘certificates for use with SSL and TLS’.

Protocols are determined by your server configuration, not the certificates themselves.

Wait, isn’t my website safe? Why is this happening?

Older SSL versions and early TLS have several known weaknesses which allow a third party who intercepts traffic sent over HTTPS to decrypt and read it; the best-known examples are the POODLE padding-oracle attack on SSL3.0 and the BEAST attack on CBC-mode ciphers in TLS1.0.

The green padlock that we all look for before completing an online transaction only tells you that the connection is encrypted, not which version of the protocol is doing the encrypting. The newer versions of TLS close those weaknesses, so information sent over them is far harder to read if it is intercepted, and PCI compliant services now require them.

TLS1.0 connections to your website typically come from people using older web browsers on their laptops, or older mobile devices. Pretty much all browsers and mobiles from the last few years use TLS1.2, which is much more secure and the recommended standard. So while no-one running a website wants to turn customers away, unfortunately it’s in their best interests not to use outdated and insecure technology when shopping or sharing personal information online. A browser that supports TLS1.1 or 1.2 always offers its highest version first, so once your server stops accepting TLS1.0 those clients simply negotiate the higher version without the user having to do anything; only clients limited to TLS1.0 will be turned away.
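Because the negotiable protocol range is a server setting (the certificate is untouched), and because a client always lands on the highest version both sides share, both points can be shown in code. The Python below is an added example, not UKFast's code or tooling: harden_server_context() narrows a server-side ssl.SSLContext to TLS1.2 and drops the old cipher suites, while probe_host() and assess() connect to a host pinned to one protocol version at a time and report whether TLS1.0 (and SSLv3) are still accepted. The function names, the PASS/FAIL/INCONCLUSIVE verdict strings and the host passed on the command line are all assumptions of the example; the SECLEVEL=0 cipher string is an OpenSSL-specific workaround so that a modern client library will still offer the old versions for the probe.

```python
"""Two halves of the TLS1.0 retirement: the server-side setting that decides
which protocol versions are negotiable, and a client-side probe that checks
what a live site actually accepts. Example code, not UKFast's."""
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

REQUIRED_OFF = ("SSLv3", "TLSv1")     # must be refused by 30 June
RECOMMENDED_OFF = ("TLSv1_1",)        # permitted, but recommended off
MODERN = ("TLSv1_2", "TLSv1_3")       # at least one of these must still work
Verdict = Tuple[str, List[str]]


def harden_server_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Narrow a server context to TLS1.2+ and drop legacy cipher suites.

    Nothing here touches the certificate: the same chain is loaded with
    ctx.load_cert_chain() before or after this call.
    """
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS1.0, TLS1.1 refused at handshake
    # Forward-secret AEAD suites only; RC4, 3DES and MD5 are the "older SSL ciphers"
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def probe_version(host: str, port: int, version: str, timeout: float = 5.0) -> Optional[bool]:
    """True if host completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client cannot even offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # testing protocol support, not certificate validity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3 / Debian builds refuse TLS<1.2 at the default security level;
        # SECLEVEL=0 lets the *probe* offer them. Never do this on a server context.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        pass                              # older OpenSSL without security levels
    try:
        wanted = getattr(ssl.TLSVersion, version)
        ctx.minimum_version = wanted
        ctx.maximum_version = wanted
    except (ValueError, AttributeError):
        return None                       # version compiled out of the local library
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True               # handshake completed at exactly this version
    except ssl.SSLError as err:
        if err.reason == "NO_PROTOCOLS_AVAILABLE":
            return None                   # local limitation, not the server's answer
        return False                      # server sent an alert: version rejected
    except ConnectionResetError:
        return False                      # some servers just drop legacy ClientHellos


def probe_host(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every version of interest; other OSErrors (refused, timeout) propagate."""
    return {v: probe_version(host, port, v) for v in REQUIRED_OFF + RECOMMENDED_OFF + MODERN}


def assess(results: Dict[str, Optional[bool]]) -> Verdict:
    """Turn per-version results into PASS / FAIL / INCONCLUSIVE plus findings."""
    findings: List[str] = []
    verdict = "PASS"
    for v in REQUIRED_OFF:
        r = results.get(v)
        if r is True:
            verdict = "FAIL"
            findings.append(f"{v} still accepted: non-compliant after 30 June")
        elif r is None:
            findings.append(f"{v} could not be tested from this client; use another tool")
            if verdict == "PASS":
                verdict = "INCONCLUSIVE"
    for v in RECOMMENDED_OFF:
        if results.get(v) is True:
            findings.append(f"{v} still accepted: permitted, but recommended off")
    if not any(results.get(v) for v in MODERN):
        verdict = "FAIL"
        findings.append("no TLS1.2 or TLS1.3 handshake succeeded")
    return verdict, findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tlscheck.py <hostname> [port]")
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome, notes = assess(probe_host(target, port))
    print(target, outcome, *notes, sep="\n  ")
```

Run it as `python tlscheck.py shop.example.com` (hostname assumed) and read the verdict; an SSLv3 line marked "could not be tested" is normal on a current OpenSSL build and means you need a different tool for that one check, not that the server is wrong. The equivalent server-side change on nginx is the `ssl_protocols` directive and on Apache httpd `SSLProtocol`; in every case the certificate and key files stay exactly as they are.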

Who does it affect if I am non-compliant?

The 30th June is the absolute cut-off point for disabling older SSL ciphers and TLS1.0; after that date, connections made with them are no longer considered compliant. If you are not compliant by 30th June you risk losing your PCI-DSS compliance, incurring reputational damage and clients turning away from your site to shop elsewhere.

While we recommend removing TLS1.1 as well, it is not required.

Consumers most likely won’t be aware of the changes that need to be made and will automatically benefit from stronger security measures, protecting their data in transit between their browsers and your site. If you use PCI compliant services (such as payment gateways) you will have to upgrade your site or face having these services no longer working.

What else will happen if I don’t comply?

It’s simple really – you will be cut off from the PCI compliant services you use.

How do I make the change?

Before the 30th June, you should follow these three key steps:

Look at the PCI SSC resources for more information about the changes and why they are happening.